DIA Board Member, Amy Wood, recently wrote this article for Sally McKenzie. It can be seen in whole on her site HERE
HIPAA Compliance: More than Just Data Breaches
By Amy Wood, President of ACS Technologies, LLC
At this point we have all heard about the data breaches and million dollar fines, and how your HIPAA security alleviates these major concerns. But have you ever thought about all the other ways HIPAA compliance helps your practice?
Human Resources Issues
Imagine a problem employee. The one who casually browses the internet instead of working, even though you’ve told them not to. Worse yet, one who thinks they know enough about HIPAA and holds you hostage for the things you don’t yet have in place.
Proper Training is key to ensuring your staff actually knows and understands HIPAA regulation. Policies & Procedures are another component. Your entire staff should review and sign an acknowledgment of reading which includes privacy, security and technology policies. The most important one is a sanction policy which should outline what happens should the employee violate HIPAA or security in the practice – write up, termination or even jail depending on the violation or repeat violation.
It’s become commonplace for business insurance carriers to ask about basic security. Do you have business grade antivirus? Do you have a firewall? Do you use secure email? Do you have backups? The new trend in insurance is cyber-liability and data breach coverage, as most data breaches are happening in the digital data space. Their questions are even more comprehensive. Do you have the knowledge to answer these questions? If you are covered by a managed service IT provider, they can help you answer all of these.
Patient Insurance Audits
MACRA, the Medicare Access and CHIP Reauthorization Act which was enacted late last year, tied Medicare reimbursement rates to a practice’s level of security and thus, HIPAA compliance. Early in 2017, we started seeing major dental insurance carriers ask for proof of basic security practices as well as HIPAA risk assessments, other HIPAA related documentation and cyber-liability/data breach insurance. Failure to have these things results in lower reimbursement rates after the audit. These are basic business best practices anyway – protect those margins!
Over the years, I have fielded many patient complaints regarding HIPAA and security. One complaint asserted that the doctor, let’s call him Dr. Compliant, had sent multiple patient records to a single patient via unencrypted email. As it turned out, Dr. Compliant had used an encrypted secure email system to send several patient records to a second doctor, Dr. Not-So-Compliant, which was proved through the secure email program.
When the patient requested the x-rays by email, Dr. Not-So-Compliant forwarded the emails with all the files sent from Dr. Compliant on to the patient without checking the contents first, thus breaching the other patients. The patient demanded free treatment in exchange for silence. Thankfully, Dr. Compliant had embraced security and the use of encrypted secure email, and we were able to prove Dr. Compliant did not breach data.
Payment Card Industry (PCI) requires an annual questionnaire that asks numerous questions about paperwork and security, including your technology equipment and setup. Many of these requirements overlap with HIPAA requirements, which are, again, basic business best practices. Unfortunately, many doctors protect credit card data better than full PHI contained in their patient charts.
When we are talking about digital data security, there are simple ways to do it right and many ways to do it wrong. Talk to your IT provider to ensure you are using current standard of care for things like backups, anti-virus, firewall, secure email and patching. Most IT providers will provide you with a package of these services, as it is commonplace as well as expected by the Office for Civil Rights. Your provider doesn’t provide this? Find a healthcare specific IT provider at the Dental Integrators Association.
Amy Wood is a HIPAA Data Breach Mitigator specializing in making dental practices compliant and secure. She is president of ACS Technologies, LLC, a Northern California HIPAA Compliance & IT firm. Amy has written many articles for various dental publications and spoken at dental associations, study clubs and private practices. She runs ACS with her husband, Scott and lives in Santa Rosa, CA with their three daughters.
Amy can be reached at firstname.lastname@example.org